Unpatched Atlassian Confluence 0-Day Exploited in the Wild
Vulnerability Affects Up-to-Date Versions of Confluence Server and Data Center
A zero-day vulnerability in Atlassian Confluence, a workspace collaboration tool that has more than 75,000 customers and serves millions of daily active users, is being targeted in the wild. The flaw, according to the company's security advisory, gives attackers unauthenticated remote code execution privileges.
The bug, tracked as CVE-2022-26134, affects "all supported versions of Confluence Server and Data Center," Atlassian says.
The flaw does not have a fix yet, but the company says in its security advisory that it is working on one with the "highest priority." "We are actively working on a patch for impacted versions and will update the advisory with estimates for completion," it says.
In a Friday update on Twitter, the company says that a patch will be made available to its customers within 24 hours.
We’re aware of a security vulnerability in Confluence Data Center and Server. We expect that security fixes for supported versions of Confluence will begin to be available for customer download within 24 hours. Please note that Atlassian Cloud sites are not impacted. (1/2)
— Atlassian (@Atlassian) June 3, 2022
The Australian Cyber Security Center also released an alert for this critically rated vulnerability, but says that it is "not aware of successful exploitation within Australia."
The U.S. Cybersecurity and Infrastructure Security Agency added this vulnerability to its Known Exploited Vulnerability Catalog. It says: "These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise."
Vulnerability Discovery
The CVE-2022-26134 vulnerability was reported to Atlassian's security team by researchers at Volexity, a Washington, D.C.-based cybersecurity firm that first observed the active exploitation of the vulnerability over the Memorial Day weekend while doing an incident response for one of its customers. The incident included two internet-facing web servers that were running Atlassian Confluence Server software.
An analysis of the issue enabled the Volexity team to recreate the exploit and find the zero-day vulnerability, the company says. It then informed the Atlassian security team, which confirmed the existence of this vulnerability on Tuesday.
Vulnerability Analysis
During the initial investigation of the vulnerability, Volexity researchers identified a JSP file that had been written into a publicly accessible web directory. Further analysis of the file helped the researchers determine that it was a JSP variant of the China Chopper webshell.
China Chopper is a webshell hosted on web servers to provide access back into an enterprise network; it does not rely on an infected system calling back to a remote command-and-control server, according to Mitre. This webshell, it says, is used by many threat groups as a primary means of access.
But in the case of Atlassian, the webshell appears to be the secondary means of access, the researchers say.
The researchers also identified bash shells being launched by the Confluence web application process. "This stood out because it had spawned a bash process, which spawned a Python process, that in turn spawned a bash shell," the researchers say.
"Volexity believes the attacker launched a single exploit attempt at each of the Confluence Server systems, which in turn loaded a malicious class file in memory. This allowed the attacker to effectively have a webshell they could interact with through subsequent requests. The benefit of such an attack allowed the attacker to not have to continuously re-exploit the server and to execute commands without writing a backdoor file to disk," the researchers say.
The vulnerability appears to be just like any other command injection vulnerability, the Volexity team says, adding that the bug was critical in nature and needed "significant attention."
In the post-exploitation phase, the attacker deployed an in-memory copy of the BEHINDER implant. This, the researchers say, gives the attackers "powerful capabilities" that include "memory-only webshells and built-in support for interaction with Meterpreter and Cobalt Strike."
The advantage of this particular attack technique is that the attacker does not have to write files to the victim's disk. But the disadvantage is that "it does not allow persistence," meaning a "reboot or service restart will wipe it out," the researchers say.
Immediate Remediation
Atlassian, in its security advisory, says there are no fixed versions of Confluence Server and Data Center currently available. But it advises Confluence customers to either restrict Confluence Server and Data Center instances from the internet or just fully disable Confluence Server and Data Center instances. It says: "If you are unable to take the above actions implementing a WAF (Web Application Firewall) rule which blocks URLs containing ${ may reduce your risk."
The researchers at Volexity have some additional recommendations. They advise organizations to:
- Send relevant log files from internet-facing web servers to a SIEM or Syslog server.
- Monitor child processes of web application processes for suspicious processes. In this case, the Python shell is a good example of this, the researchers say.
- Implement IP address access control lists to restrict access to internet-facing systems.
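The two checks below are an added example, not code from Atlassian, Volexity or this article: one mirrors the "${" URL rule from the advisory but applies it after URL-decoding, so a percent-encoded form is not missed; the other walks a process table looking for the shell-to-Python-to-shell chain under the web application process that Volexity describes. The log format, the process table and the use of "java" as the Confluence process name are assumptions, and the sample data is constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format is an assumption).
SAMPLE_LOG = """\
203.0.113.5 - - [03/Jun/2022:10:00:01 +0000] "GET /login.action HTTP/1.1" 200 512
203.0.113.9 - - [03/Jun/2022:10:00:02 +0000] "GET /${placeholder}/ HTTP/1.1" 302 0
203.0.113.9 - - [03/Jun/2022:10:00:03 +0000] "GET /%24%7Bplaceholder%7D/ HTTP/1.1" 302 0
"""
REQ_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def has_expression_marker(log_line):
    """True if the request target contains '${' once URL-decoded; a rule that
    matches only the literal characters would miss the percent-encoded form."""
    m = REQ_RE.search(log_line)
    if not m:
        return False
    target = unquote(unquote(m.group("target")))  # unwrap up to two encoding layers
    return "${" in target

def suspicious_lines(log_text):
    return [ln for ln in log_text.splitlines() if has_expression_marker(ln)]

# Constructed process table as (pid, ppid, command); "java" stands in for the
# Confluence web application process and the chain under it mirrors Volexity's finding.
SAMPLE_PROCS = [(1, 0, "init"), (800, 1, "java"), (801, 800, "bash"),
                (802, 801, "python"), (803, 802, "bash"), (900, 1, "sshd"), (901, 900, "bash")]
INTERPRETERS = {"bash", "sh", "dash", "python", "python3", "perl"}

def interpreter_chains(procs, root_name="java"):
    """Return chains of shell/interpreter processes descending from the web app process."""
    by_parent = {}
    for pid, ppid, name in procs:
        by_parent.setdefault(ppid, []).append((pid, name))
    chains = []
    def walk(pid, chain):
        kids = by_parent.get(pid, [])
        if not kids and len(chain) > 1:      # leaf of an interpreter chain
            chains.append(chain)
        for cpid, cname in kids:
            if cname in INTERPRETERS:
                walk(cpid, chain + [cname])
            elif len(chain) > 1:             # chain ends in a non-interpreter child
                chains.append(chain)
    for pid, _, name in procs:
        if name == root_name:
            walk(pid, [name])
    return chains
```

On a live host the process table would come from the platform's process listing and the log lines from the web server's access log; the functions only need the tuples and strings shown.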
Volexity says that it does not intend to publicly provide proof-of-concept code for the exploit as there is no official fix available. Atlassian says that "further details about the vulnerability are being withheld until a fix is available."